DEBIAN-CVE-2026-31444
In the Linux kernel, the following vulnerability has been resolved:

ksmbd: fix use-after-free and NULL deref in smb_grant_oplock()

smb_grant_oplock() has two issues in the oplock publication sequence:

1) opinfo is linked into ci->m_op_list (via opinfo_add) before add_lease_global_list() is called. If add_lease_global_list() fails (kmalloc returns NULL), the error path frees the opinfo via free_opinfo() while it is still linked in ci->m_op_list. Concurrent m_op_list readers (opinfo_get_list, or direct iteration in smb_break_all_levII_oplock) dereference the freed node.

2) opinfo->o_fp is assigned after add_lease_global_list() publishes the opinfo on the global lease list. A concurrent find_same_lease_key() can walk the lease list and dereference opinfo->o_fp->f_ci while o_fp is still NULL.

Fix by restructuring the publication sequence to eliminate post-publish failure:

- Set opinfo->o_fp before any list publication (fixes NULL deref).
- Preallocate lease_table via alloc_lease_table() before opinfo_add() so add_lease_global_list() becomes infallible after publication.
- Keep the original m_op_list publication order (opinfo_add before lease list) so concurrent opens via same_client_has_lease() and opinfo_get_list() still see the in-flight grant.
- Use opinfo_put() instead of free_opinfo() on err_out so that the RCU-deferred free path is used.

This also requires splitting add_lease_global_list() to take a preallocated lease_table and changing its return type from int to void, since it can no longer fail.
References
https://security-tracker.debian.org/tracker/CVE-2026-31444
